Mobile Device Forensics

Mobile Device Forensics Update 1


Applications are the backbone of every modern mobile operating system. With millions of applications available, it has become difficult to guarantee the security of user data on mobile phones. This project aims to find and document artifacts left by popular mobile apps. Our analysis will cover the three leading mobile operating systems: Android, iOS, and Windows Phone.


The goal of our team is to analyze fifteen applications over the duration of the project. We wanted to focus on apps large enough to have a notable user-base, but niche enough that they haven’t been analyzed by other teams. We also wanted to cover as wide a variety of apps as possible, rather than lock ourselves into a single category. We’ve broken the project into five segments, each with applications that fit into a certain theme.

Viber     Telegram        Line

Our first segment will focus on personal messaging applications: Viber, Telegram, and Line. All these apps have millions of monthly active users. This makes us curious about what artifacts we may find within them. Telegram specifically is of interest, since they advertise encrypted chats for extra security. Any data we may be able to recover from Telegram’s secure chats would be an important discovery.

Rabbit   Twitch  Expedia

Our next line of focus is on more miscellaneous applications: Rabbit, Twitch, and Expedia. Twitch is a popular streaming app that caters to gamers. It allows users to stream their screen live from their location to share their gameplay. Twitch also enables them to add audio and video of themselves. Rabbit is another streaming app. It allows multiple users to watch TV or movies simultaneously. It uses a virtual browser, which shouldn’t store any data after the user ends their session. Unlike the other two, Expedia is a travel application; it logs hotels, flight information, car rentals, and more. If this information is recoverable, it could be valuable in a forensic investigation.

The Weather Channel     Weather Underground     Weather Live

Our third set of applications revolves around the weather. We focused our attention on The Weather Channel, Weather Underground, and Weather Live – Local Forecast. All of these apps have large user-bases, with some users relying on the apps for information more than once a day. There is potential for weather apps to store device location and search history. Because of this, checking on and ensuring the security of applications such as these would be prudent.

Garmin     Trello     Nike+ Run Club

The fourth segment will include fitness and productivity applications. Our two choices for fitness apps are Garmin Connect and Nike+ Run Club. Nike+ Run Club helps users track their runs, storing detailed location history. Garmin Connect also collects similar data with the added ability to pair with Garmin fitness trackers. This allows the app to collect additional biometric data such as step count and heart rate. Our third app, Trello, is a productivity app used to help manage workflow. Trello allows its users to add “cards” to “boards” with images, text, and links for organizational purposes. It’s designed to contain information that can be sensitive when used in a professional environment. This means confirming its security is important.

Cortana            Google Assistant          Google Hangouts

In our last segment we will be taking a look at Cortana, Google Assistant, and Google Hangouts. We have high hopes for the assistant applications since aspects of their functionality rely on them always listening. Google Hangouts also presents some exciting opportunities related to a user’s chat activity. We want to explore how much information can be recovered compared to how much information is stored on Google’s servers.


As we begin our research, a plethora of potential forensic artifacts lie before us within our selected applications. Each segment will consist of wiping the phones, installing the applications, and generating data. We will then analyze this information. We are excited to begin our work, and to share it here on our blog.

Stay tuned for more updates to come and follow us on Twitter @ChampForensics, Instagram @ChampForensics, and Facebook @ChamplainLCDI.